SpamAssassin scoring anomalies since WHM 11.52

mtindor

Hello,

I've got five machines on 11.52 now. Ever since updating to 11.52, some part of the updated SpamAssassin is causing significant amounts of legitimate email to be scored much, much higher than it should be.

My typical configuration:
a. SpamAssassin enabled per user
b. Default Spam Score 5
c. Many customers set SpamAssassin autodelete at somewhere between 5 and 9
d. DCC / Pyzor / Razor2 / iXhash

Ever since 11.52 and the newly updated rules and addition of P0f.cf and KAM.cf, I am seeing very significant amounts of email with spam scores well above 10 -- emails that are absolutely legitimate and should never be scoring anywhere near that value.

I really have to call foul and suspect that something is thoroughly amiss in the current SpamAssassin.

Sure, many admins/end-users may never be using "auto-delete", and sure if a customer is using "auto-delete" they should be prepared for the possibility of potentially devnull'ing legitimate email. However, historically [for years] I've run this setup this way with nary a complaint from a customer and nary a sign of a false positive devnull. That is, until 11.52 came out.

Now on some accounts I'm seeing 75% of a customer's legitimate inbound email being devnulled. Even if they set their auto-delete score up to 8, something in SpamAssassin is causing legitimate emails to score so much higher now (10 and above) that it is really wreaking havoc.

I think somebody at cPanel really needs to look into what is going on. Sure, new SpamAssassin updates should be nailing more spam -- but it definitely should not be nailing more legitimate email.

I've got one customer who between Nov 8 and Nov 17 had 1947 legitimate emails devnulled -- emails that were historically always passing through with spam scores well under '5'.

Does anybody know if there is a way to BULK disable SpamAssassin Autodelete on ALL accounts on the server? When I disable auto-delete, there are going to be tons of emails coming in that the users haven't gotten for the past week and they will have [SPAM] in the subject line. Disabling / adjusting auto-delete will not solve the problem. The problem is somewhere else -- legitimate email should not be scoring so much higher in the spam score.

Mike
 

mtindor

Disappointed -- both in myself and cPanel.

In Exim Configuration Manager --> Apache SpamAssassin Options the following are new / enabled by default:

KAM
P0F
BAYES_POISON_DEFENSE
CPANEL's custom stuff used at CPANEL.NET

I disabled them all. I'm sure this nifty combination is what has created havoc on my servers, and I don't have time right now to even bother to try to figure out specifics.

Be forewarned that if you have all of those enabled, you too could very well be having much of your/your customers' legitimate email scored higher than it ought to be.

mike
 

cPanelMichael

Administrator
Staff member
> I disabled them all. I'm sure this nifty combination is what has created havoc on my servers, and I don't have time right now to even bother to try to figure out specifics.

Hello :)

Thank you for taking the time to update this thread with your findings. I've not seen significant negative feedback on the decision to enable these options by default, but I encourage anyone else to voice their concern here if it's resulting in false positives.

Thank you.
 

Doctored Watson

> Hello :)
>
> Thank you for taking the time to update this thread with your findings. I've not seen significant negative feedback on the decision to enable these options by default, but I encourage anyone else to voice their concern here if it's resulting in false positives.
>
> Thank you.

I'm having the same issue, although it's the kam.cf rules that seem to be the main culprit for me. I think some of them are incredibly aggressive, particularly the scoring. E.g., the following scored 9 points due to KAM_COMPROMISED:

"Hey Watson
Tried calling you X

Sent from my iPhone"

I understand that there is spam that looks like this, but a lot of legitimate email does as well.
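
Added example, not part of any post in this thread: one way to find which rules are pushing known-legitimate mail over an auto-delete threshold is to tally the `tests=` list of SpamAssassin's `X-Spam-Status` header across those messages. The sample messages, their scores and the threshold of 8 are constructed for illustration; only the rule name KAM_COMPROMISED comes from the thread.

```python
import re
from collections import Counter
from email import message_from_string

STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)")

def parse_spam_status(raw_message):
    """Return (score, required, [rule names]) or None if no usable header."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    # Unfold the header, then close the gaps folding leaves inside the tests= list.
    flat = re.sub(r",\s+", ",", re.sub(r"\r?\n[ \t]+", " ", str(header)))
    m = STATUS_RE.search(flat)
    if m is None:
        return None
    rules = [r for r in m.group(3).split(",") if r and r != "none"]
    return float(m.group(1)), float(m.group(2)), rules

def rule_hits(messages, threshold):
    """Count rule hits among messages scoring at or above the threshold."""
    hits = Counter()
    flagged = 0
    for raw in messages:
        parsed = parse_spam_status(raw)
        if parsed and parsed[0] >= threshold:
            flagged += 1
            hits.update(set(parsed[2]))  # count each rule once per message
    return flagged, hits

# Constructed sample messages (assumed header layout; not taken from the thread).
SAMPLES = [
    "X-Spam-Status: Yes, score=9.8 required=5.0 tests=BAYES_50,KAM_COMPROMISED\n"
    "\tautolearn=no version=3.4.1\nSubject: [SPAM] Tried calling you\n\nbody\n",
    "X-Spam-Status: Yes, score=11.2 required=5.0 tests=HTML_MESSAGE,\n"
    "\tKAM_COMPROMISED,RDNS_NONE autolearn=no\nSubject: [SPAM] invoice\n\nbody\n",
    "X-Spam-Status: No, score=1.1 required=5.0 tests=HTML_MESSAGE autolearn=ham\n"
    "Subject: hello\n\nbody\n",
    "Subject: no spam header\n\nbody\n",
]

if __name__ == "__main__":
    flagged, hits = rule_hits(SAMPLES, threshold=8.0)
    print(f"{flagged} messages at or above threshold")
    for rule, n in hits.most_common():
        print(f"{n:4d}  {rule}")
```

Run over a folder of mail a user has confirmed as legitimate, the rules at the top of the tally are the ones to review or disable first.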